
Windows Security Settings for CompTIA A+ 220-1102

Windows includes comprehensive built-in security features that A+ technicians must know how to configure. CompTIA A+ 220-1102 tests BitLocker, Windows Defender, UAC, local security policy, and auditing. This guide covers every Windows security configuration concept in the A+ Core 2 objectives.


BitLocker Drive Encryption

BitLocker encrypts entire volumes (drives) using AES encryption to protect data if the device is stolen or lost.

  • Requires: Windows Pro, Enterprise, or Education (not available on Home).
  • TPM (Trusted Platform Module) chip: stores the BitLocker encryption key. TPM version 1.2 or 2.0 supported.
  • Without TPM: BitLocker can use a USB startup key instead (less convenient).
  • Setup: Control Panel → BitLocker Drive Encryption → Turn on BitLocker.
  • Recovery key: generated during setup; must be saved to Microsoft account, USB drive, Active Directory, or printed. The recovery key is the ONLY way to unlock the drive if the password is forgotten or TPM detects unauthorized hardware changes.
  • BitLocker To Go: encrypts removable drives (USB drives, SD cards).
  • Manage BitLocker: manage-bde command-line tool.
  • Suspend BitLocker before BIOS updates or hardware changes, because BitLocker detects these as tampering.
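The pre-maintenance routine described above (confirm a recovery key exists, then suspend before a BIOS update), as an added PowerShell example that is not part of the original guide. It assumes the BitLocker cmdlets that ship with Windows Pro/Enterprise/Education and an elevated session; the `-Suspend` switch and the parameter names are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-maintenance BitLocker check for one volume.
param(
    [string]$MountPoint = $env:SystemDrive,  # assumption: the OS volume is the target
    [switch]$Suspend                         # suspend only when explicitly requested
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# Current state: encryption progress and whether protection is active.
$vol | Format-List MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage

# Which protectors unlock this volume (Tpm, ExternalKey = USB startup key, RecoveryPassword, ...).
$types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
"Key protectors: " + ($types -join ', ')

# A recovery password must exist, and be saved, before any change the TPM could treat as tampering.
$recovery = @($vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })
if ($recovery.Count -eq 0) {
    Write-Warning "No recovery password on $MountPoint. Add and save one before continuing."
    return
}

# Print only the protector ID so it can be matched against the saved or escrowed copy.
$recovery | ForEach-Object { "Recovery protector ID: $($_.KeyProtectorId)" }

if ($Suspend) {
    if ("$($vol.ProtectionStatus)" -eq 'On') {
        # RebootCount 1: protection turns back on by itself after the next restart.
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
        "Protection suspended on $MountPoint for the next restart."
    } else {
        "Protection is already off or suspended on $MountPoint."
    }
}
```

The same state is visible from the command line with `manage-bde -status` and `manage-bde -protectors -get C:`.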

Windows Defender Antivirus

Windows Defender Antivirus is the built-in antivirus in Windows 10/11.

  • Real-time protection: monitors files, downloads, and running processes.
  • Definitions: signature database updated via Windows Update.
  • Access: Windows Security → Virus & threat protection.
  • Scan types: Quick scan (common locations), Full scan (entire disk, time-consuming), Custom scan (specific folders).
  • Microsoft Defender Offline scan: boots outside Windows to scan; effective against rootkits.
  • Exclusions: Settings → Virus & threat protection → Manage settings → Add or remove exclusions.
  • Third-party antivirus: when third-party antivirus is installed, Windows Defender automatically deactivates (or enters passive mode in Windows 10).
  • Cloud-delivered protection: uses Microsoft cloud for enhanced detection of new threats.
  • Controlled Folder Access: blocks unauthorized programs from modifying protected folders (protects against ransomware).
  • Block at first sight: cloud-based rapid analysis of suspicious files.
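An added example, not from the original guide, that reads the settings listed above with the built-in Defender cmdlets instead of clicking through Windows Security. The seven-day signature threshold is an illustrative assumption.

```powershell
# Added example: report the Defender settings discussed above for the local machine.
# Run elevated; without admin rights the exclusion lists are not readable.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
$maxSignatureAgeDays = 7   # assumption: illustrative threshold, not a Microsoft value

[pscustomobject]@{
    RunningMode            = $status.AMRunningMode               # e.g. Normal or Passive
    AntivirusEnabled       = $status.AntivirusEnabled
    RealTimeProtection     = $status.RealTimeProtectionEnabled
    SignatureAgeDays       = $status.AntivirusSignatureAge
    SignaturesLastUpdated  = $status.AntivirusSignatureLastUpdated
    CloudProtection        = ([int]$pref.MAPSReporting -ne 0)    # 0 = disabled
    BlockAtFirstSight      = (-not $pref.DisableBlockAtFirstSeen)
    ControlledFolderAccess = [int]$pref.EnableControlledFolderAccess  # 0 off, 1 on, 2 audit
} | Format-List

# Collect anything a technician should look at.
$findings = @()
if (-not $status.RealTimeProtectionEnabled) {
    # Expected when a third-party product is active and Defender is passive or disabled.
    $findings += "Real-time protection is off (running mode: $($status.AMRunningMode))"
}
if ($status.AntivirusSignatureAge -gt $maxSignatureAgeDays) {
    $findings += "Signatures are $($status.AntivirusSignatureAge) days old"
}
if ([int]$pref.EnableControlledFolderAccess -ne 1) {
    $findings += 'Controlled Folder Access is not enforcing'
}

# Every exclusion is a location or process Defender will not scan, so list them all.
$exclusions = @(@($pref.ExclusionPath) + @($pref.ExclusionExtension) +
                @($pref.ExclusionProcess) | Where-Object { $_ })
foreach ($e in $exclusions) { $findings += "Exclusion configured: $e" }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }

# Scans are started with Start-MpScan -ScanType QuickScan | FullScan | CustomScan.
# Start-MpWDOScan runs the offline scan and restarts the computer immediately.
```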

User Account Control (UAC)

UAC prompts for confirmation when applications attempt to make system changes. Prevents malware from silently making administrative changes.

UAC prompt types:
  • Consent prompt (admin account: just click Yes)
  • Credential prompt (standard user: enter admin username and password)
  • Informational (no risk)

UAC levels (Control Panel → User Accounts → Change User Account Control settings):
  • Always notify (most restrictive)
  • Notify when apps try to make changes (default)
  • Notify when apps try to make changes without dimming (less secure)
  • Never notify (UAC disabled; not recommended)

Secure Desktop: when UAC prompts, the screen dims and the prompt runs on a separate secure desktop, which prevents malicious programs from auto-clicking the prompt.

Admin approval mode: even local administrators must approve UAC prompts (not automatically elevated).

UAC bypass is a common malware technique, so keep UAC at default or higher.
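The four slider levels above are stored as registry values, which is how a technician can check them on a machine without opening Control Panel. This is an added example, not part of the original guide; `Get-UacLevel` is a hypothetical helper name, and the registry value names are the standard UAC policy values.

```powershell
# Added example: translate the UAC registry values into the slider levels listed above.
function Get-UacLevel {
    param(
        [int]$EnableLUA,                  # 0 = Admin Approval Mode off entirely
        [int]$ConsentPromptBehaviorAdmin, # how administrators are prompted
        [int]$PromptOnSecureDesktop       # 1 = prompt on the dimmed secure desktop
    )
    if ($EnableLUA -eq 0) { return 'UAC off (Admin Approval Mode disabled)' }
    if ($ConsentPromptBehaviorAdmin -eq 0) { return 'Never notify' }
    switch ("$ConsentPromptBehaviorAdmin/$PromptOnSecureDesktop") {
        '2/1'   { 'Always notify' }
        '5/1'   { 'Notify when apps try to make changes (default)' }
        '5/0'   { 'Notify when apps try to make changes without dimming' }
        default { "Custom policy (admin=$ConsentPromptBehaviorAdmin, secureDesktop=$PromptOnSecureDesktop)" }
    }
}

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $key   # a missing value is read as 0 by the [int] parameters

$level = Get-UacLevel -EnableLUA $p.EnableLUA `
                      -ConsentPromptBehaviorAdmin $p.ConsentPromptBehaviorAdmin `
                      -PromptOnSecureDesktop $p.PromptOnSecureDesktop

# Standard users: 0 = requests denied automatically, 1 or 3 = credential prompt.
$userPrompt = switch ([int]$p.ConsentPromptBehaviorUser) {
    0       { 'Elevation requests denied automatically' }
    1       { 'Credential prompt on the secure desktop' }
    3       { 'Credential prompt' }
    default { "Unrecognised value $($p.ConsentPromptBehaviorUser)" }
}

[pscustomobject]@{
    AdminLevel        = $level
    StandardUser      = $userPrompt
    BelowDefault      = ($level -notmatch '^(Always notify|Notify when apps try to make changes \(default\))$')
} | Format-List
```

`BelowDefault` is true for any level weaker than the default, which is the condition the guide advises against.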

Local Security Policy

Local Security Policy (secpol.msc) configures security settings on Windows Pro/Enterprise computers. Key areas:

  • Account Policies → Password Policy: minimum length, complexity, expiration, history.
  • Account Policies → Account Lockout Policy: lockout threshold (number of failed attempts), lockout duration, reset counter.
  • Local Policies → Audit Policy: which events to log in the Security event log.
  • Local Policies → User Rights Assignment: which users can log on locally, shut down, access the computer from the network.
  • Local Policies → Security Options: disable Guest account, interactive logon messages, LAN Manager authentication level.
  • Windows Settings → Security Settings → Software Restriction Policies: block specific programs from running.

Note: In domain environments, Domain Group Policy overrides local policy. secpol.msc is not available on Windows Home.
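The password and lockout settings above can be exported with `secedit` and checked in bulk, which is faster than opening secpol.msc on each machine. This is an added example, not from the original guide; the pass criteria (12 characters, history of 5, lockout after at most 10 attempts) are illustrative assumptions, not CompTIA or Microsoft requirements.

```powershell
#Requires -RunAsAdministrator
# Added example: export the local security policy and check the account settings.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null

# Collect "Name = Value" pairs from the [System Access] section of the export.
$policy    = @{}
$inSection = $false
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\[(.+)\]$') {
        $inSection = ($Matches[1] -eq 'System Access')
        continue
    }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
        $policy[$Matches[1]] = $Matches[2].Trim()
    }
}
Remove-Item -Path $cfg   # the export describes the machine's policy; do not leave it in TEMP

# Assumption: illustrative pass criteria for this example only.
$checks = [ordered]@{
    MinimumPasswordLength = { param($v) $v -ge 12 }
    PasswordComplexity    = { param($v) $v -eq 1 }               # 1 = complexity required
    PasswordHistorySize   = { param($v) $v -ge 5 }
    LockoutBadCount       = { param($v) $v -ge 1 -and $v -le 10 } # 0 = accounts never lock out
    EnableGuestAccount    = { param($v) $v -eq 0 }               # 0 = Guest disabled
}

$results = foreach ($name in $checks.Keys) {
    $value = $policy[$name]
    $test  = $checks[$name]
    $pass  = ($null -ne $value) -and (& $test ([int]$value))
    [pscustomobject]@{ Setting = $name; Value = $value; Pass = $pass }
}
$results | Format-Table -AutoSize
```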

Windows Firewall (Advanced)

Windows Defender Firewall with Advanced Security (wf.msc) provides granular control.

  • Inbound rules: control traffic coming into the computer.
  • Outbound rules: control traffic leaving the computer.
  • Profiles: Domain, Private, Public; rules can apply to specific profiles.
  • Creating rules: Action → New Rule → type (Program, Port, Predefined, Custom).
  • Program rule: allow/block specific executable.
  • Port rule: allow/block specific TCP/UDP port.
  • Connection security rules: configure IPsec for encrypted/authenticated connections.
  • Monitoring: view active firewall state, current rules, security associations.
  • Logging: properties of each profile → Logging → enable dropped packets/successful connections log.
  • Default behavior: inbound blocked unless rule allows; outbound allowed unless rule blocks.
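An added example, not from the original guide, that checks each profile against the default behavior and logging settings described above and lists the inbound allow rules that apply on the Public profile. It uses the NetSecurity cmdlets built into Windows; nothing is changed on the machine.

```powershell
# Added example: audit the three firewall profiles using the effective (active) policy.
$report = foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
    $findings = @()
    if ("$($p.Enabled)" -ne 'True')               { $findings += 'firewall off' }
    if ("$($p.DefaultInboundAction)" -eq 'Allow') { $findings += 'inbound allowed by default' }
    if ("$($p.LogBlocked)" -ne 'True')            { $findings += 'dropped packets not logged' }

    [pscustomobject]@{
        Profile    = $p.Name
        Enabled    = $p.Enabled
        Inbound    = $p.DefaultInboundAction
        Outbound   = $p.DefaultOutboundAction
        LogBlocked = $p.LogBlocked
        LogAllowed = $p.LogAllowed
        LogFile    = $p.LogFileName
        Findings   = ($findings -join '; ')
    }
}
$report | Format-Table -AutoSize -Wrap

# Which profile each network connection is using right now.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# Enabled inbound allow rules that apply on Public networks: each one is an
# exception to "inbound blocked unless a rule allows".
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { "$($_.Profile)" -match 'Public|Any' } |
    Sort-Object DisplayName |
    Select-Object DisplayName, Profile, Program |
    Format-Table -AutoSize -Wrap

# To turn on dropped-packet logging for a profile (not run by this example):
#   Set-NetFirewallProfile -Name Public -LogBlocked True
```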

Windows Security Center

Windows Security (Windows Security Center in older versions): central dashboard for all security features.

Sections:
  • Virus & threat protection (Defender Antivirus)
  • Account protection (Windows Hello, sign-in options)
  • Firewall & network protection
  • App & browser control (SmartScreen, Exploit protection, Controlled folder access)
  • Device security (TPM status, Secure Boot, Core isolation/Memory integrity)
  • Device performance & health
  • Family options

Security baseline: all sections should show green checkmarks for a healthy security posture.

Action Center / Notification area: alerts for security issues (antivirus out of date, firewall off, automatic updates disabled).

Windows Hello: biometric authentication using face recognition (IR camera required), fingerprint, or PIN as alternatives to password.

Key exam facts — A+

  • BitLocker requires Windows Pro/Enterprise and TPM (or USB key without TPM)
  • BitLocker recovery key must be saved before enabling — only way to unlock if TPM changes
  • UAC: consent prompt for admins, credential prompt for standard users
  • Never notify UAC = UAC disabled = security risk
  • secpol.msc: password policy, lockout policy, audit policy — not available on Home
  • Windows Defender Offline scan: boots outside Windows, effective against rootkits
  • Controlled Folder Access: blocks ransomware from encrypting protected folders
  • wf.msc (Windows Defender Firewall with Advanced Security): granular inbound/outbound rules

Common exam traps

Practice questions — Windows Security

These questions are representative of what you will see on A+ exams. The correct answer and explanation are shown immediately below each question.

Q1.

A. The thief can access all data by connecting the drive to another computer
B. The data is protected — the drive is encrypted and unreadable without the BitLocker key
C. Windows will automatically wipe the drive after 10 failed login attempts
D. The data is only protected if the laptop has a password

Explanation: BitLocker encrypts the entire drive. Even if the thief removes the drive and connects it to another computer, the data is encrypted and unreadable without the BitLocker password or recovery key.

Frequently asked questions — Windows Security

What happens if I lose the BitLocker recovery key?

If you forget the BitLocker password AND lose the recovery key, the data is permanently inaccessible — no backdoor exists. This is by design. Always save the recovery key to at least two locations (Microsoft account and printed copy, or Active Directory). For enterprise, use Microsoft MBAM or Active Directory to centrally store recovery keys.
